Earlier this month, Forrester Research published the results of a survey that highlighted top priorities for IT decision makers. Improving BC/DR was the top priority for SMB organizations, and was #2 for large enterprises. This made me consider: when preparing for security, risk and continuity, what differences does organizational size make? I invited three SunGard consultants to share their thoughts on each area. Their responses are summarized in this table for you:
Security Viewpoint: (Chris Burgher, CISSP, PMP, CISA – Associate Principal, Security)
“With information security, the main risk factors are the same when considering organization size, and include compliance, brand & reputation issues if breached, and costs of losing data. Large enterprises generally will have multiple compliance requirements such as GLBA/HIPAA/SOX/PCI/FFIEC, while the SMB may have only one or two areas for regulations. An interesting dimension is that the large enterprise may also have an increased risk of insider attacks, simply because they are dealing with a larger employee population.”
Risk Viewpoint: (Mike Shandrowski, BC/DR Architect)
“The differences seem to be more from the perspective on how they address risk mitigation and not necessarily around the need for risk mitigation. From what I see, SMB clients tend to “self analyze” their risks more often, resulting in more of a Risk Analysis than a full Risk Assessment. For the enterprise, their Assessment will include an evaluation and statement of judgment on what the risks mean to their organization, the interrelationship between risks, and what to do next with that risk information.”
Continuity Viewpoint: (Bill Hughes, CBCP – Director, BC/DR Center of Excellence)
“The organization size – whether small or large – has both advantages and disadvantages related to their scale. SMB clients tend to say they “know” how things should work and how they should respond; in many cases, that is true because the close interactions across the organization means that knowledge hasn’t been segmented or isolated. Because they may lack certain critical mass, I will often find more single points of failure in this size organization, however. With that, you need to be looking at how the intellectual capital is managed and maintained in the organization. Those who know are often the busiest people, leading to a challenge during a crisis when they cannot effectively work on parallel activities to restore normal operations while directing a recovery effort off-site.”
Security, risk management and effective business continuity are closely linked, and reflect differences due to organization size; please share in the comments how scale has affected your own organization.